Changes

Jump to: navigation, search

OPS235 Assignment 2 OLD

34 bytes added, 10:29, 21 March 2012
no edit summary
== Required Tasks (TOTAL: x Marks) ==
== About SELinux ==
 
SELinux stands for ''Security Enhanced Linux'' and is based on research performed at NSA and other locations. Where the normal Unix/Linux security system, based upon file permissions, is a ''discretionary access control'' system (DAC), SELinux is a ''mandatory access control'' system (MAC). This means that it attempts to enforce a consistent policy across the entire system, on top of the settings that any user has configured.
 
SELinux decisions are based on the ''security context'' of system resources such as files and processes. The security context consists of a user, role, type, and sensitivity component; you can see the security context of files and processes by adding the <code>-Z</code> option to the <code>ls</code> and <code>ps</code> commands:
 
$ ls -lZ
drwxr-xr-x. root root '''system_u:object_r:file_t:s0''' arm
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' arm2
drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' bin
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Desktop
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Documents
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Downloads
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora0.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora1.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora2.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora3.ks
-rw-rw-r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' foo
-rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' hosts
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Music
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Pictures
drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' play
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Public
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Templates
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Videos
-rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' x
[chris@muskoka ~]$ ps -Z
LABEL PID TTY TIME CMD
'''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2595 pts/1 00:00:00 bash
'''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2612 pts/1 00:00:00 ps
The SELinux policy controls the interactions between security contexts. For example, the policy may specify that the Apache httpd webserver cannot read files in <code>/etc</code>, so if an attacker finds a way to make httpd (or a script run by httpd) read a file in <code>/etc</code>, SELinux will recognize that this is not normal and will deny the access. Since this is done at the kernel level, httpd will get a "file not found" error, even though the file is present, and there is no way for httpd to work around that error.
 
=== SELinux Context Commands ===
 
There are two main commands used to set the SELinux security context of files:
# chcon - sets the security context of a file to a particular value
#* Example: setting the ''type'' of a file: <code>chcon -t ''unconfined_t'' ''/tmp/foo''</code>
#* Example: setting the user/role/type of a file: <code>chcon ''unconfined_u:object_r:user_home_t'' ''~/foo''</code>
# restorecon - resets the default security context of a file
#* Example: reset the context of one file: <code>restorecon /etc/services</code>
#* Example: recursively reset the contexts of all of the files in a directory: <code>restorecon -R ~</code>
 
You can reset the default security context of the entire system at the next boot with this command:
 
touch /.autorelabel
 
=== SELinux Booleans ===
 
SELinux policy can be tuned (without writing an entirely new policy) through the use of ''booleans'' or option switches. Each boolean can have a value of on (1) or off (0).
 
The <code>getsebool</code> and <code>setsebool</code> commands can be used to view and set SELinux boolean values:
 
{|class="mediawiki sortable" border="1" cellspacing="0"
!Command
!Description
|-
|<code>getsebool -a</code>
|Displays all SELinux booleans
|-
|<code>getsebool ''foo''</code>
|Displays the SELinux boolean ''foo''
|-
|<code>setsebool ''foo'' ''value''</code>
|Sets the SELinux boolean ''foo'' to ''value'' (where ''value'' is 0 or "off", or 1 or "on")
|}
 
 
=== SELinux Graphical Tools ===
 
The ''system-config-selinux'' tool, which is on the menu as System>Adminstration>SELinux Management, provides a GUI for managing SELinux booleans and more.
 
 
{{Admon/note|Takes Notes!|Take detailed notes of the steps you perform from this point onward -- you will need them for the wiki pages you will create later.}}
== Installing Packages ==
{{Admon/tip|Bonus Opportunity!|Change the default icon in the upper-left corner of your MediaWiki installation to a picture of your choosing. Be sure that you have copyright clearance to use that image (e.g., it is licensed to you, or it is a picture you own).}}
 
== Bonus: SELinux (x Marks) ==
 
== About SELinux ==
 
SELinux stands for ''Security Enhanced Linux'' and is based on research performed at NSA and other locations. Where the normal Unix/Linux security system, based upon file permissions, is a ''discretionary access control'' system (DAC), SELinux is a ''mandatory access control'' system (MAC). This means that it attempts to enforce a consistent policy across the entire system, on top of the settings that any user has configured.
 
SELinux decisions are based on the ''security context'' of system resources such as files and processes. The security context consists of a user, role, type, and sensitivity component; you can see the security context of files and processes by adding the <code>-Z</code> option to the <code>ls</code> and <code>ps</code> commands:
 
$ ls -lZ
drwxr-xr-x. root root '''system_u:object_r:file_t:s0''' arm
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' arm2
drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' bin
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Desktop
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Documents
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Downloads
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora0.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora1.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora2.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora3.ks
-rw-rw-r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' foo
-rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' hosts
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Music
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Pictures
drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' play
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Public
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Templates
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Videos
-rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' x
[chris@muskoka ~]$ ps -Z
LABEL PID TTY TIME CMD
'''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2595 pts/1 00:00:00 bash
'''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2612 pts/1 00:00:00 ps
 
The SELinux policy controls the interactions between security contexts. For example, the policy may specify that the Apache httpd webserver cannot read files in <code>/etc</code>, so if an attacker finds a way to make httpd (or a script run by httpd) read a file in <code>/etc</code>, SELinux will recognize that this is not normal and will deny the access. Since this is done at the kernel level, httpd will get a "file not found" error, even though the file is present, and there is no way for httpd to work around that error.
 
=== SELinux Context Commands ===
 
There are two main commands used to set the SELinux security context of files:
# chcon - sets the security context of a file to a particular value
#* Example: setting the ''type'' of a file: <code>chcon -t ''unconfined_t'' ''/tmp/foo''</code>
#* Example: setting the user/role/type of a file: <code>chcon ''unconfined_u:object_r:user_home_t'' ''~/foo''</code>
# restorecon - resets the default security context of a file
#* Example: reset the context of one file: <code>restorecon /etc/services</code>
#* Example: recursively reset the contexts of all of the files in a directory: <code>restorecon -R ~</code>
 
You can reset the default security context of the entire system at the next boot with this command:
 
touch /.autorelabel
 
=== SELinux Booleans ===
 
SELinux policy can be tuned (without writing an entirely new policy) through the use of ''booleans'' or option switches. Each boolean can have a value of on (1) or off (0).
 
The <code>getsebool</code> and <code>setsebool</code> commands can be used to view and set SELinux boolean values:
 
{|class="mediawiki sortable" border="1" cellspacing="0"
!Command
!Description
|-
|<code>getsebool -a</code>
|Displays all SELinux booleans
|-
|<code>getsebool ''foo''</code>
|Displays the SELinux boolean ''foo''
|-
|<code>setsebool ''foo'' ''value''</code>
|Sets the SELinux boolean ''foo'' to ''value'' (where ''value'' is 0 or "off", or 1 or "on")
|}
 
 
=== SELinux Graphical Tools ===
 
The ''system-config-selinux'' tool, which is on the menu as System>Adminstration>SELinux Management, provides a GUI for managing SELinux booleans and more.
 
 
{{Admon/note|Takes Notes!|Take detailed notes of the steps you perform from this point onward -- you will need them for the wiki pages you will create later.}}
== Submitting Your Assignment ==
13,420
edits

Navigation menu